Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Routing throw 2 PfSense

    Routing and Multi WAN
    2
    6
    908
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      boulate
      last edited by

      Hello,

      I'm not sure if I have to post this question here or in OpenVPN, but I think it's a routing problem :

      Everything is explained on this little picture I made :

      • I have my PC : 10.0.1.1/24
      • My two networks are linked by an OpenVPN tunnel.
      • I can ping every interfaces in the LAN network of my Pfsense client.
      • I CAN'T ping my "4G modem" who is on the WAN interface of my Pfsense client.

      Who can I ping an interface on the WAN network of my pfsense client from my PC ?
      (I already try to put a "route add -net 192.168.1.0/24 10.0.2.254" on my "pfsense principal")

      Is this a firewall configuration problem, a routing configuration problem or an OpenVPN configuration problem ?

      Thank you ! :)

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        Presumable it's a routing issue.

        I guess the modem sends responses to the pings to its upstream gateway, since it has no route for it.  To solve, a static route for the server side LAN network had to be added to the modem itself, but it will not have an option to do so, I think.
        Other solution would be to do NAT on the WAN interface. Add an outbound NAT rule to WAN for the server side LAN network and let it translate to the interface address.

        1 Reply Last reply Reply Quote 0
        • B
          boulate
          last edited by

          Thank you very much for you answer !

          I don't understand why the "4G modem" don't know how to respond to my "PfSense client" on the WAN of the Pfsense client (who is just the "lan" for "4G modem").

          They are on the same network. "PfSense client" not act on the 3rd layer to indicate his IP address during the routing encapsulation process ?

          I'll try this :

          Other solution would be to do NAT on the WAN interface. Add an outbound NAT rule to WAN for the server side LAN network and let it translate to the interface address.

          But I don't really know how to do it in pfsense :/

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by

            Above you wrote, the modem doesn't response to ping from the PC in 10.0.1.1/24.
            Now you say, it doesn't response to the VPN client? To ping from the client it should response anyway, if the WAN is set up anyhow well.

            1 Reply Last reply Reply Quote 0
            • B
              boulate
              last edited by

              Yes, the goal is to respond to my client 10.0.1.1. But in the process to respond to my client, he has to first respond to "pfsense client" who will route the packet to "pfsense principal", etc.

              I'm sorry if i'm not clear (hardest for me in english).

              My idea was : If "4g Modem (192.168.0.1)" can respond to "Pfsense client (on 192.168.0.100)", and if "Pfsense client (on 10.0.2.1 and 10.0.200.2)" can respond to my "Poste de travail local (10.0.1.1)", the it must be a rooting problem only on the "Pfsense client" no ?
              If it was on "4G modem" then the modem would not respond to ping from "Pfsense client" ?

              I'm wrong ?!?

              1 Reply Last reply Reply Quote 0
              • V
                viragomann
                last edited by

                @boulate:

                My idea was : If "4g Modem (192.168.0.1)" can respond to "Pfsense client (on 192.168.0.100)", and if "Pfsense client (on 10.0.2.1 and 10.0.200.2)" can respond to my "Poste de travail local (10.0.1.1)", the it must be a rooting problem only on the "Pfsense client" no ?

                It works similar to this.

                If your PC in 10.0.1.1/24 sends a packet to the 4G modem, the packet has the source address 10.0.1.1 and the destination IP 192.168.0.1 when it arrives at the modem. Since you have a site to site VPN, the VPN tunnel network itself is irrelevant here. The packets are just routed over that subnet.
                So the 4G modem will send its response to 10.0.1.1, but since this address doesn't fit to any of the subnets on its interfaces and it has no special route for this host, it will send the packet to its upstream gateway. Presumable that's the internet provider.
                However the modem will response correct to the pfSense clients WAN 192.168.0.100, because this is a subnet connected to its own interface.

                So let's do NAT to get it work:
                Go to Firewall > NAT > Outbound, if the rule configuration type is set to Automatic set it to Hybrid or manual and hit save.
                Then add a new rule with
                interface = WAN
                source = 10.0.1.0/24
                destination = 192.168.0.0/24 (or any if you also want to access internet hosts over the VPN)
                translation = interface address
                Save it.

                This NAT rule will translate the source address in packets coming from 10.0.1.0/24 to the clients WAN address. So your modem will send responses to that back to the client pfSense and this one will send it back over the VPN to the PC 10.0.1.1.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.